ADJUDICATION PROCESS

3.1 Introduction

Adjudication plays an integral role in the enforcement of any law as it ascertains the rights and
obligations of parties involved in a dispute and prescribes the corrective actions and remedies.
In the context of a data protection law, adjudication entails an assessment of whether and to
what extent data protection rights of an individual have been infringed by a data controller, the
loss or damage suffered by the individual due to the said infringement, the remedies available
to the individual as well as the penal consequences that the data controller may be liable for.
Given the technical and specialised nature of the issues that may arise while adjudicating under
a data protection law, it is imperative to evaluate the shortcomings of existing adjudicatory
mechanisms in India in this field and propose an adjudicatory framework along with the
remedies that may be available (the substantive issues relating to ‘Remedies’ is dealt with in
Part IV, Chapter 4 of the White Paper).

3.2 Issues

Under the extant Indian legal framework, specifically the IT Act, a special class of officers
called ‘adjudicating officers’ are appointed for hearing and adjudicating cases pertaining to
violations of the provisions of the IT Act or of any rule, regulation, direction or order made
thereunder.1 The IT Act also specifies certain disputes in relation to which the adjudicating
officer has the power to adjudicate.2

An adjudicating officer is an officer not below the rank of a ‘Director’ to the Government of
India or an equivalent officer of a State Government and is required to have such experience
in the field of information technology and legal or judicial experience as may be prescribed. 3
Further, an adjudicating officer is required to adjudicate matters in which the claim for injury
or damage does not exceed Rs. 5 crores.4 Moreover, while adjudicating, an adjudicating officer
shall have the powers of a civil court.5

It is relevant to note that the adjudicatory functions discharged by adjudicating officers

primarily relate to fraudulent transactions from bank accounts on account of failure to maintain

1
Section 46(1), IT Act.
2
Sections 43 (Penalty and compensation for damage to computer, computer system, etc.), 43A (Compensation
for failure to protect data), 44 (Penalty for failure to furnish information, return, etc.) and 45 (Residuary penalty),
IT Act.
3
Section 46(1) and (3), IT Act.
4
Section 46(1A), IT Act. Please note that jurisdiction in respect of a claim for injury or damage exceeding Rs. 5
crores shall vest with the competent court.
5
Section 46(5), IT Act. All proceedings before an adjudicating officer shall be deemed to be judicial proceedings
within the meaning of Sections 193 and 228, IPC, shall be deemed to be a civil court for the purposes of Section
345 and 346, CrPC and shall be deemed to be a civil court for the purposes of Order XXI, Civil Procedure Code,
1908 (CPC).
reasonable security practices6 and as such, it appears that such orders may not per se relate to
other aspects of data protection violation.

So far as the appellate mechanism under the IT Act is concerned, prior to the enactment of the
Finance Act, 2017 (Finance Act), appeals from decisions of adjudicating officers lay before the
CyAT set up under Section 48 of the IT Act. The CyAT, which started functioning in 2006,
was set up with a specific mandate to hear appeals on matters where the jurisdiction of civil
courts was barred, i.e. where the claim for injury or damage does not exceed Rs. 5 crores.7
However, the CyAT has, as of 31 March 2017, passed merely 17 judgments and has passed no
judgement after 30 June 2011.8 Moreover, the chairman’s position for the CyAT has been lying
vacant since July 2011 and consequently, though appointment of members has been carried on,
a bench to hear the matters has not been constituted in the absence of a chairman.

In order to bring about rationalisation of tribunals, uniformity in service, efficiency and cost
optimisation9, the IT Act was amended by the Finance Act to confer the powers of the CyAT
to hear appeals from the decisions of the adjudicating officers to the Telecom Disputes
Settlement and Appellate Tribunal (TDSAT or Appellate Tribunal)10. There are concerns on
whether the current resources, capacity and infrastructure of the Appellate Tribunal can take
on the additional mandate of discharging the functions of the CyAT11.

Upon adjudication, the adjudicating officer under the IT Act has the power to give remedies in
the form of either a civil penalty imposed upon the defaulter or grant compensation to the
aggrieved individual. Section 43A of the IT Act stipulate that any person who commits the acts
specified under the said provision shall be liable to pay damages by way of compensation to
the person so affected.12 Given that there does not appear to be any specific limit on the amount
of compensation payable under this provision, it follows that a person affected by an
infringement may assess the damages on her own so long as the amount assessed does not

6
Sreenidhi Srinivasan and Namrata Mukherjee, ‘Building An Effective Data Protection Regime’, Vidhi Centre
For Legal Policy 19 (January 2017). Also see Ram Techno Park v. State Bank of India, Complaint No. 9 of 2012,
Adjudicating Officer (Maharashtra) Order dated 22 February 2013, available at:
https://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RamTechno_Vs_SBI-22022013.pdf, (last
accessed 23 October 2017) and M/s Shreenivas Signs Pvt. Ltd. v. IDBI Bank Ltd., Complaint No. 12 of 2013,
Adjudicating Officer (Maharashtra) Order dated 18 February 2014, available at:
https://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_SreenivasSigns_Vs_IDBI-18022014.PDF,
(last accessed 23 October 2017).
7
Section 61, IT Act.
8
See ‘Judgments’, Cyber Appellate Tribunal, available at http://cyatindia.gov.in/Judgement.aspx (last accessed
22 October 2017).
9
Radhika Merwin, ‘Merger of tribunals to rationalize working’, Hindu Business Line (23 March 2017), available
at: http://www.thehindubusinessline.com/economy/policy/merger-of-tribunals-to-rationalise-
working/article9598534.ece, (last accessed 22 October 2017).
10
The TDSAT is established under Section 14 of the TRAI Act. An appeal from the TDSAT lies with the Supreme
Court of India (as per Section 18, TRAI Act).
11
It is relevant to note that in 2004, the TDSAT’s jurisdiction was extended to cover broadcasting services.
Moreover, per the Finance Act, the mandate of the Airports Economic Regulatory Authority Appellate Tribunal
has also been transferred to the TDSAT (in addition to that of the CyAT).
12
Similar provision is contained in Section 43, IT Act.
exceed Rs. 5 crores.13 Furthermore, in case of a contravention of the provisions of the IT Act
for which no penalty has been prescribed separately, the defaulting person shall be liable to
pay a penalty not exceeding Rs. 25,000 or compensation not exceeding Rs. 25,000.14

Compensation, as a remedy under Section 43A of the IT Act is extremely limited and is
applicable where a body corporate fails to maintain and implement reasonable security
practices and procedures. Moreover, for any other violation of the provisions of the IT Act (for
which no separate penalty is prescribed), the amount of compensation that may be claimed is
limited to Rs. 25,000. In the context of adjudication of disputes pertaining to data protection
violation, it may be relevant to consider the extent to which adjudicatory bodies may grant
compensation to an aggrieved party and consequently, determine the jurisdiction and powers
of adjudicatory bodies in this regard.

3.3 International Practices

European Union

Under the EU GDPR, the supervisory authority set up in every Member State has the power to
investigate complaints relating to the breach of any of the rights of the data subject. 15 The
supervisory authority has a wide range of investigative powers16 and corrective powers.17 A
data subject may file a complaint with the supervisory authority where she considers that the
processing of personal data related to her infringes the EU GDPR.18 The supervisory authority
has the power to impose an administrative penalty on the data controller where the latter has
breached the provisions of the EU GDPR.19 The data subject, however, also has the right to
bring an appeal or seek a remedy from the competent courts of the Member States where the
supervisory authority is established where the said authority does not handle the complaint or
does not inform the data subject about the progress or outcome of the complaint within the
prescribed time limit.20

United Kingdom

Under the UK DPA, the Information Commissioner has several powers including the power to
issue ‘enforcement notices’ to data controllers in case of contravention of the provisions of the

13
Please note that for a claim above Rs. 5 crores, the claim will be filed with a civil court having competent
territorial and pecuniary jurisdiction. In other words, when such a claim is filed with a civil court, then the special
adjudicatory mechanism of the IT Act will no longer be the procedural law and the process will be governed by
the provisions of the CPC. See Apar Gupta, ‘Commentary on Information Technology Act’, 184 (Lexis Nexis,
2013).
14
Section 45, IT Act. Section 44, IT Act only prescribes a penalty for failure to furnish information, return, etc.
15
Article 57(1)(f), EU GDPR.
16
Article 58(1), EU GDPR.
17
Article 58(2), EU GDPR.
18
Article 77(1), EU GDPR.
19
Article 83, EU GDPR.
20
Article 78, EU GDPR.
UK DPA.21 The Information Commissioner also has the power to issue ‘assessment notices’22
and ‘information notices’ in order to determine whether the data controller has complied with
the provisions of the UK DPA.23 Where a data controller fails to comply with any of the notices,
then it may be considered as an offence under the UK DPA.24 The Information Commissioner
may impose a monetary penalty upon the data controller for contravention of data protection
principles.25 A data controller on whom any type of notice under the UK DPA has been served
by the Information Commissioner, has the right to file an appeal with the First-tier Tribunal.26

Australia

Under the Privacy Act, in case of a breach of the privacy principles, an individual can file a
complaint with the OAIC.27 Where it is not feasible to conciliate between the parties, the OAIC
may undertake an investigation and upon finding of a substantiated complaint, can direct the
respondent to not repeat such a conduct or perform a reasonable act to redress the loss suffered
by the individual.28 On an application by the OAIC, if the prescribed court is satisfied that the
respondent has contravened the provisions of the Privacy Act, it may order the respondent to
pay a penalty.29 The OAIC may also undertake the above on the basis of a suo moto action.30
Moreover, an application for review of an order made by the OAIC lies with the Administrative
Appeals Tribunal.31

Canada

In Canada, under the PIPEDA, the Privacy Commissioner may take cognizance of a complaint
filed by an individual or on its own.32 Upon filing of a complaint, the Privacy Commissioner
may conduct an investigation.33 Upon completion of investigation, the Privacy Commissioner
is required to prepare a report consisting of its findings and recommendations.34 On receiving
the report, the individual may apply to the court for a hearing in respect of the matter in relation
to which the complaint was made or that is referred to in the Privacy Commissioner’s report.35

21
Section 40, UK DPA.
22
Sections 41A, 41B, 41C and 42, UK DPA.
23
Section 43, UK DPA.
24
Section 47, UK DPA.
25
Sections 55A-55E, UK DPA.
26
Section 48, UK DPA read with ICO, “Information Commissioner’s guidance about the issue of monetary
penalties prepared and issued under section 55C(1) of the Data Protection Act 1998”, 3 (December 2015),
available at: https://ico.org.uk/media/for-organisations/documents/1043720/ico-guidance-on-monetary-
penalties.pdf, (last accessed 20 October 2017).
27
Section 36, Privacy Act.
28
Section 52, Privacy Act.
29
Section 80W, Privacy Act.
30
Section 52(1A) read with Section 40(2), Privacy Act.
31
Section 96, Privacy Act.
32
Section 11, PIPEDA.
33
Section 12, PIPEDA.
34
Section 13, PIPEDA.
35
Section 14, PIPEDA.
The court may direct the organization to correct its practices and award damages to the
complainant.36

South Africa

Under the POPI Act, the Information Regulator may undertake investigation into a complaint
submitted by a person for, inter alia, breach of the conditions of lawful processing of personal
information.37 The Information Regulator may also, on its own initiative, commence
investigation.38 On receipt of a complaint, the Information Regulator may conduct a pre-
investigation39, act as a conciliator, conduct a full investigation or refer the complaint to its
enforcement committee40. Where the Information Regulator is satisfied with the organization
has interfered with the protection of personal information of the complainant, the Information
Regulator may issue a notice directing the organization to take corrective steps accordingly. 41
A penalty may also be imposed on the organization.42 A right of appeal against the
direction/notice of the Information Commissioner lies with the High Court having the requisite
jurisdiction.43

3.4 Provisional Views

1. Given that under a data protection legal regime, government bodies and public authorities
may be considered as data controllers, an adjudicating officer appointed under the IT Act,
who is an officer of the government, may not be the appropriate body to adjudicate
disputes which involve violation of data protection obligations by such government
bodies and public authorities. Therefore, it may be appropriate for a separate,
independent body, such as, a data protection authority to adjudicate on disputes arising
between an individual and a data controller due to breach of any data protection
obligation.

2. It follows that an individual whose data protection rights have been violated may, at the
outset, first approach the data controller or a specific grievance redressal officer of the
data controller identified in this regard.

3. Where the data controller fails to resolve the complaint of the individual in a satisfactory
and expeditious manner, the individual may be given the right to file a complaint with
the data protection authority. Moreover, where the data protection authority observes any
violation by a data controller of any of the provisions of a data protection law, it may
initiate action against such data controller on a suo motu basis.

36
Section 16, PIPEDA.
37
Sections 73 and 74, POPI Act.
38
Section 76(3), POPI Act.
39
Section 79, POPI Act.
40
Section 92, POPI Act.
41
Section 95, POPI Act.
42
Section 109, POPI Act.
43
Section 97, POPI Act.
4. The data protection authority may be conferred with the power to appoint an adjudicating
officer who may have the requisite qualifications and expertise to inquire into the facts
of the complaint and adjudicate accordingly.

5. Given that the Appellate Tribunal has already been provided with the mandate to hear
appeals from adjudicating officers under the IT Act, it may be worthwhile to propose the
Appellate Tribunal as an appellate forum for any decision passed by a data protection
authority. This, of course, will be subject to suitable amendments to the TRAI Act along
with the constitution of specialised benches having the requisite technical knowledge and
expertise as required to achieve this purpose.

6. In addition to the powers described in the previous section on ‘Data Protection Authority’
(Part IV, Chapter 2 of the White Paper), the data protection authority may be given the
power to impose civil penalties as well as order the defaulting party to pay compensation.

7. Specifically, in case of compensation claims, the consumer fora set up under the
Consumer Protection Act, 1986 (COPRA) typically act as avenues for filing such claims.
However, it is relevant to note that given the vast number of data controllers operating in
the Indian market and the number of potential data protection violation claims that may
be brought by individuals, the consumer fora, especially at the district and state levels,
may not have the requisite capacity as well as the technical knowledge and expertise to
adjudicate on compensation claims arising from such violations. Moreover, if all
compensation claims lie with the consumer fora, it may not incentivise individuals to file
complaints with the data protection authority for enforcement and instead file claims
relating to compensation with the consumer fora.

8. Consequently, it may be proposed that matters in which compensation claims for injury
or damage does not exceed a prescribed threshold, may lie with the data protection
authority. Further, an appeal from an order of the data protection authority granting such
compensation and matters in which compensation claims for injury or damage exceeds
such threshold may lie with the National Commission Disputes Redressal Commission
(National Commission). This may be undertaken pursuant to requisite amendments to
the COPRA and by setting up benches with the requisite technical skills and expertise.

3.5 Questions

1. What are your views on the above?

2. Should the data protection authority have the power to hear and adjudicate complaints
from individuals whose data protection rights have been violated?
3. Where the data protection authority is given the power to adjudicate complaints from
individuals, what should be the qualifications and expertise of the adjudicating officer
appointed by the data protection authority to hear such matters?

4. Should appeals from a decision of the adjudicating officer lie with an existing appellate
forum, such as, the Appellate Tribunal (TDSAT)?

5. If not the Appellate Tribunal, then what should be the constitution of the appellate
authority?

6. What are the instances where the appellate authority should be conferred with original
jurisdiction? For instance, adjudication of disputes arising between two or more data
controllers, or between a data controller and a group of individuals, or between two or
more individuals.

7. How can digital mechanisms of adjudication and redressal (e.g. e-filing, video
conferencing etc.) be incorporated in the proposed framework?

8. Should the data protection authority be given the power to grant compensation to an
individual?

9. Should there be a cap (e.g. up to Rs. 5 crores) on the amount of compensation which may
be granted by the data protection authority? What should be this cap?

10. Can an appeal from an order of the data protection authority granting compensation lie
with the National Consumer Disputes Redressal Commission?

11. Should any claim for compensation lie with the district commissions and/or the state
commissions set under the COPRA at any stage?

12. In cases where compensation claimed by an individual exceeds the prescribed cap, should
compensation claim lie directly with the National Consumer Disputes Redressal
Commission?

13. Should class action suits be permitted?

14. How can judicial capacity be assessed? Would conducting judicial impact assessments
be useful in this regard?

15. Are there any alternative views other than the ones mentioned above?